Advertisers Secretly Steal Your Emails Right from Your Browsers to Track You Across the Web

Tech has become the new villain of this world, with industry leaders trying to collect as much data as possible and advertisers scrambling to accurately track and target users with relevant ads. In the latest of these unending stories, advertisers are now using browser-based password managers to secretly steal email addresses and track users across the web, potentially tying those addresses to their browsing history even after cookies are cleared.

Password management tools (whether built into the browser or third party) have become a necessity, since they ensure your passwords are unique for every website and spare you from having to remember each one. However, they could also be unwittingly leaking your data to advertisers. According to research from Princeton's Center for Information Technology Policy, advertising companies can pull data from a browser-based password manager, potentially leaking all email-password combinations.

“Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form,” they wrote.

Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don’t require user interaction to autofill password fields.

Thus, third-party javascript can retrieve the saved credentials by creating a form with the username and password fields, which will then be autofilled by the login manager.

When you aren't logged into a site, your password manager automatically fills in your saved credentials to log you in. Advertisers are essentially abusing this convenience by inserting fake, invisible login forms that the password manager will start filling in automatically. While the password manager is doing what it is supposed to do, the autofill feature lets advertisers steal your data, even if not your password in every case.

First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
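The injected-form pattern described above can be spotted from the page side. As an added example that is not code from the article or the Princeton study, the JavaScript below flags login forms that were inserted after load and are hidden from the user; the descriptor fields (`style`, `rect`, `inputs`, `injected`) are assumptions that mirror DOM properties so the core check can also run outside a browser.

```javascript
// Added example (not from the article or the Princeton study): page-side detection
// of a login form injected after load that the user cannot see. Descriptor fields
// (style, rect, inputs, injected) are assumptions mirroring DOM properties.

// Heuristics for "the user cannot see this element".
function isHidden(el) {
  const s = el.style || {};
  const r = el.rect || { width: 0, height: 0, top: 0, left: 0 };
  return s.display === 'none' || s.visibility === 'hidden' ||
    Number(s.opacity) === 0 || r.width === 0 || r.height === 0 ||
    r.left + r.width <= 0 || r.top + r.height <= 0; // pushed off-screen
}
// A form is a login-manager target if it has a password or username field.
function looksLikeLoginForm(form) {
  return form.inputs.some(i => i.type === 'password' || i.type === 'email' ||
    /user|email|login/i.test(i.name || ''));
}
// Suspicious = login-like, invisible, and inserted by script rather than
// delivered in the page HTML (the combination the article describes).
function isSuspiciousLoginForm(form) {
  return form.injected === true && isHidden(form) && looksLikeLoginForm(form);
}
function findSuspiciousForms(forms) {
  return forms.filter(isSuspiciousLoginForm);
}
// Constructed sample: the site's own login form plus an injected hidden one.
const SAMPLE_FORMS = [
  { id: 'site-login', injected: false, style: {},
    rect: { width: 320, height: 90, top: 120, left: 40 },
    inputs: [{ type: 'email', name: 'email' }, { type: 'password', name: 'pw' }] },
  { id: 'tracker-form', injected: true, style: { display: 'none' },
    rect: { width: 0, height: 0, top: 0, left: 0 },
    inputs: [{ type: 'text', name: 'username' }, { type: 'password', name: 'password' }] },
];

// Browser wiring (no-op without a DOM): report forms added after load that
// match; the caller decides what to do with them (log, remove, alert).
function watchForInjectedForms(onFlag) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const describe = f => ({ id: f.id, injected: true, style: getComputedStyle(f),
    rect: f.getBoundingClientRect(),
    inputs: [...f.querySelectorAll('input')].map(i => ({ type: i.type, name: i.name })) });
  const obs = new MutationObserver(ms => ms.forEach(m => m.addedNodes.forEach(n => {
    if (n.nodeType !== 1) return; // only element nodes
    const forms = n.matches('form') ? [n] : [...n.querySelectorAll('form')];
    forms.filter(f => isSuspiciousLoginForm(describe(f))).forEach(onFlag);
  })));
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}
```

Running `findSuspiciousForms(SAMPLE_FORMS)` returns only the injected `tracker-form` entry; in a page, `watchForInjectedForms(f => f.remove())` would drop such forms as they appear.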

Not all password management browser add-ons are vulnerable to this type of attack, though. 1Password, for example, requires an action from the user to trigger password fill, avoiding a fully automatic process.

On why the advertisers are going after email hashes, Princeton researchers noted that the email address can be used to connect the crumbs left online “across different browsers, devices, and mobile apps,” adding that these hashes also “serve as a link between browsing history profiles before and after cookie clears.”

If you want to stay safe from this type of advertiser tracking attack, go to your browser's or password manager's settings and disable autofill, so that your password manager always requires your consent before filling in data.